Topic: How to prevent a VB(A) app being hijacked?

[havano]

Some time ago, I assisted in creating a powerful Autocad macro for a customer. Since then, some of his employees have left him to work for the competition, and so has the macro.

Can you think of a (simple) way to protect VB(A) applications against unauthorized use?

[TR]

Lock the code and create a function that checks a network share to see if a file exists. If the file doesn't exist at the exact path the program will not run. It would help if the if the file is in a share on the server that ends with a $ (i.e. "\\server\my_secret_folder$") as it will not show up to the users in Windows Explorer.

[havano]

Thanks Tim. Alas, unlocking helps are available. And wouldn't your secret folder show up with certain Explorer settings?

[David Hall]

only if the average user had rights to see it

[David Hall]

Tim, how would the vb app see the $ share if the user runnng the app didn't have the rights to see it?

[havano]

To be honest, I expected solutions which made use of Autocad serial numbers. 

[Chuck Gabriel]

In Windows, share names that end with a dollar sign don't appear while browsing regardless of user level or explorer settings.  You have to know the share exists and what it is called to access it.

[Jürg Menzi]

To be honest, I expected solutions which made use of Autocad serial numbers. 

How about network installs?

[Draftek]

Another good reason to use a dll instead of vba.

You can't compile vba code and so any savy user can figure out how to read it.

[havano]

Sofar, Tim Riley comes the closest to what I need. I found a VBA snippet that uses a rather cryptic way to check a file's existance, so even uncompiled the code doesn't give itself away easily. Also, I could use it as a time bomb, e.g. mess up a variable of which the value will be used somewhere else in the program.

[MP]

I use a variant of the encryption referred to in this thread compiled to a dll with other functonality key to a program's operation; all string info encrypted, and I do mean all. It's not enough to have an encryption module that returns a flag whether or not a user can proceed -- all they have to do is figure out which function is called, write they're own dll that has the same function signature, have said function return true / whatever and poof, they have access.

I'm not paranoid -- but those guys following me sure are.

This has served me well for many years.

[havano]

Thanks MP, I thought in the line of accompanying the app with a INI-file, which contains the encrypted serial number(s) of the authorised Autocad user(s). The main app reads the serial number of the Autocad object it calls and checks it against the encrypted serial numbers. I found a free-of-charge blowfish en-/decryption dll on the internet which I could use: blofsh10.dll

Code: [Select]

'This gets the current Autocad serial number
Dim Serialnumber As String
Serialnumber = ThisDrawing.GetVariable("_PKSER")To prevent people from replacing the dll with one that circumvents the check, the INI file could contain a control string which would have to be correctly decrypted using the hard-coded password (the decryption key)  in the main app.

[DaveW]

Another good reason to use a dll instead of vba.

You can't compile vba code and so any savy user can figure out how to read it.

I second that!

I put up a sample vb project that makes a dll here:

http://www.websitetoolbox.com/tool/post/milllister/vpost?id=1071084

Stuff your code in there, read the directions, and your done.

Any questions, feel free to call me.


Dave

[havano]

I wouldn't mind using simple XOR encrypting against a key/password string. But how can I keep the resulting string within the 0-9, A-Z, a-z etc. range, and be able to accurately decrypt it?
A sample code snippet would be wellcome!

[MP]

I wouldn't mind using simple XOR encrypting against a key/password string. But how can I keep the resulting string within the 0-9, A-Z, a-z etc. range, and be able to accurately decrypt it?
A sample code snippet would be wellcome!

Simplistic and banged out quick --

Code: [Select]

Function Encrypt(ByVal text As String, _
                 ByVal mask As String) _
                 As String

    Dim i           As Long, _
        j           As Long
   
    Dim textBytes() As Byte, _
        maskBytes() As Byte
       
    Dim lbMask      As Long, _
        ubMask      As Long
       
    Dim xorCode     As Integer

    textBytes = text
    maskBytes = mask
   
    lbMask = LBound(maskBytes)
    ubMask = UBound(maskBytes)
   
    j = LBound(maskBytes)
   
    For i = LBound(textBytes) To UBound(textBytes) Step 2
        xorCode = textBytes(i) Xor maskBytes(j)
        ''  modify this to suit
        If  32 < xorCode And _
            xorCode < 127 And _
            xorCode <> 34 Then textBytes(i) = xorCode
        j = j + 2: If ubMask < j Then j = lbMask
    Next i
   
    Encrypt = textBytes

End Function
Tested in VB's immediate window --

? Encrypt("http://www.theswamp.org", "123456")

YFGD://EDC.BYW@CT[A.\FR

? Encrypt("YFGD://EDC.BYW@CT[A.\FR", "123456")

http://www.theswamp.org